User IDs allow access to SAP applications. Each user must have a corresponding profile specifically assigned. In many situations, multiple composite profiles can be assigned to a user ID, depending on the role(s) an individual user is responsible for in the business processes.
Authorizations
Authorizations are the key building blocks of SAP security.
Authorization is the process of assigning values to fields present in
authorization objects. In SAP, access to all system functionality is achieved
through a complex array of authorizations. Sometimes users find that they lack
the necessary authorizations to perform a certain function in the system, in
which case the message: “You are not authorized…” is displayed at the bottom of
the screen.
An authorization process may ask for a second associated
authorization process, which in turn asks for a third, and so on. For example, the
task of paying a vendor invoice may require 10 different authorizations.
Security Configuration in SAP
Security configuration and administration in SAP is a
multi-phase process. Four key security components are required to ensure the
adequate security, privacy, and integrity of information. The phases are as
follows:
1. User Authentication
The first phase comprises confirmation of user identity and
results in authentication of the user. Unauthorized access to the SAP system is
prevented through this initial check. This ensures system integrity by
regulating secure access through genuine user authentication.
2. Creating and Assigning Authorization Profiles
A Profile Generator (PG) is used to automatically generate and
assign authorization profiles. This tool was released with SAP version 3.1g and
above. The administrator can also create authorization profiles manually.
Note: Profile Generator can be retroactively installed in SAP
versions 3.0f and above.
The authorization objects can be selected using the SAP Profile
Generator. Administrators can automatically generate authorization profiles for
function-specific access to SAP users after configuring initial settings.
The entire authorization functionality of SAP signifies a new
approach to authorization. The administrator can define user authorization
based on SAP functions. Based on the selected function, the PG groups objects
in administrator-created authorization profiles.
Authorization profiles created by the Profile Generator are based
on the given authorizations. The Profile Generator also speeds up the process and
simplifies administrator/user communication, allowing both the administrator and
users to use the same SAP function terminology. To auto-generate an authorization
profile, an Activity Group needs to be created.
Activity Groups contain simple profiles and usually represent
employee or job roles. They are user-defined and allow the administrator to
organize and maintain system activities. An activity group, when used as an
information database, reduces data entry time. Administrators can define
activity groups in two steps:
1. Selecting the criteria, such as access controls.
2. Dividing the activities into appropriate groups.
For example, activities can be organized by functions, such as
human resources, payroll, or administration or by job classes, such as computer
programming activities, or accounting activities. A combination of
function-specific activity and job-specific activity can also be implemented.
Security implementation with the new Profile Generator is based
on the creation of activity groups or a collection of linked or associated
activities, such as tasks, reports, and transactions.
Consider a business situation involving a company, ABC Inc.,
faced with transaction security hiccups in business dealings with its dealers.
To address this problem, the company can create authorization profiles for its
dealers using the profile generator features. This can be done by implementing
the following instruction set:
- Instruction 1: A dealer activity group should be created. Name this activity group as Dealer.
- Instruction 2: All dealer-specific business transactions should be included in the activity group.
- Instruction 3: Generate an authorization profile for Dealers.
- Instruction 4: Assign Dealer to a “new user” or in your system and update master records.
Following this procedure will give the new user complete functional
access when using the system as Dealer.
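The four instructions above, modelled in Python as an added example (not SAP code and not from the original post). It shows how a generated profile holds field values per authorization object and how a transaction start is checked against them. The user ID DEALER01, company code 1000, order type OR and the transaction-to-object mapping are assumptions constructed for illustration.

```python
# Added illustration: a simplified model of the Dealer procedure, not SAP code.
# The transaction-to-object mapping and all field values are constructed.

# Authorization objects each transaction checks, with the field values required.
TCODE_CHECKS = {
    "VA01": {"V_VBAK_AAT": {"AUART": "OR", "ACTVT": "01"}},    # create sales order
    "VA03": {"V_VBAK_AAT": {"AUART": "OR", "ACTVT": "03"}},    # display sales order
    "F-53": {"F_BKPF_BUK": {"BUKRS": "1000", "ACTVT": "01"}},  # post vendor payment
}

def generate_profile(tcodes):
    """Instruction 3: turn an activity group's transactions into authorizations.

    Returns {object: {field: set of allowed values}}.
    """
    profile = {"S_TCODE": {"TCD": set()}}
    for tcode in tcodes:
        profile["S_TCODE"]["TCD"].add(tcode)
        for obj, fields in TCODE_CHECKS[tcode].items():
            for fld, value in fields.items():
                profile.setdefault(obj, {}).setdefault(fld, set()).add(value)
    return profile

def authority_check(profiles, obj, **required):
    """True if one authorization for obj allows every required field value."""
    for profile in profiles:
        auth = profile.get(obj)
        if auth is None:
            continue
        if all(auth.get(f, set()) & {v, "*"} for f, v in required.items()):
            return True
    return False

def can_run(profiles, tcode):
    """A transaction starts only if the start check and every object check pass."""
    if not authority_check(profiles, "S_TCODE", TCD=tcode):
        return False
    return all(authority_check(profiles, obj, **fields)
               for obj, fields in TCODE_CHECKS[tcode].items())

# Instructions 1-2: the Dealer activity group and its transactions.
DEALER_GROUP = ["VA01", "VA03"]
# Instruction 4: assign the generated profile to a user master record.
USER_MASTER = {"DEALER01": [generate_profile(DEALER_GROUP)]}

if __name__ == "__main__":
    for tcode in TCODE_CHECKS:
        ok = can_run(USER_MASTER["DEALER01"], tcode)
        print(tcode, "->", "allowed" if ok else "You are not authorized")
```

The Dealer user can start only the transactions in the activity group; the vendor payment transaction fails at the first check because the generated profile never received its start authorization.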





